three word password

The UK’s National Cyber Security Research Centre (NCSC) recently recommended passwords that combine three random words rather than complex variations of letters and numbers. An example: DinosaurHeadphonesUmbrella!” The old way of doing things, “Mypw4life!”, the NCSC claims, doesn’t work as well.

This is a great suggestion in theory, but maybe not entirely great in practice. Three words, even chosen at random, are easier to remember than complicated mixtures of numbers, letters, and punctuation, especially since being a single digit off means you’ve locked yourself out of your account. 

It’s also harder for machines to guess. Many programs designed to crack passwords through brute force will run through every possible combination until it manages to find the right one (“a,” “aa,” “aaa,” “aaa!” and so on). 

Three random words strung together would take significantly longer to crack, especially with a 25-30 character password. It may be simpler to compromise a short, complicated string like “24ddw34~2!@”, but it doesn’t crack faster than the three-word approach. 

The downside: three words introduces greater predictability, which is exactly what hackers want. Add to this issue the fact that many users will gravitate to the names of their children or pets in passwords, which is why that information is often scraped from social media accounts. 

The same goes for favorite sports teams, movies, interests or hobbies. If you’re going to use a combination of three words, a hacker will then know to incorporate relatively common words in threes. QuantumCarrotRoulette seems nonsensical, but all you really need is an online dictionary, internet access and time and you can guess it eventually. That said, no matter how scrapable the rudiments of your three-word password are, this method of securing an account is infinitely better than what passes for a password for the majority of people out there. 

At the end of the day, it helps to make your passwords longer, but it’s no substitute for good cyberhygiene. Whenever possible, you should use 2-factor authentication, which requires confirmation from a separate device, typically a smartphone. If the idea of keeping track of which account “BurritoProjectorDoomsday1” belongs to sounds frustrating, consider using a password manager. 

Whatever you do, it’s a good idea to consider yourself vulnerable, and do what you can to minimize your attackable surface. The keys to good cyberhygiene: minimize your exposure, monitor your accounts and manage the damage when the inevitable occurs. For more, check out this article on Adam’s 3 Ms.